diff options
Diffstat (limited to 'pyaggr3g470r/controllers/abstract.py')
-rw-r--r-- | pyaggr3g470r/controllers/abstract.py | 26 |
1 files changed, 22 insertions, 4 deletions
diff --git a/pyaggr3g470r/controllers/abstract.py b/pyaggr3g470r/controllers/abstract.py index c084deb9..f1173817 100644 --- a/pyaggr3g470r/controllers/abstract.py +++ b/pyaggr3g470r/controllers/abstract.py @@ -9,11 +9,25 @@ class AbstractController(object): _db_cls = None # reference to the database class _user_id_key = 'user_id' - def __init__(self, user_id): + def __init__(self, user_id=None): + """User id is a right management mechanism that should be used to + filter objects in database on their denormalized "user_id" field + (or "id" field for users). + Should no user_id be provided, the Controller won't apply any filter + allowing for a kind of "super user" mode. + """ self.user_id = user_id def _to_filters(self, **filters): - if self.user_id: + """ + Will translate filters to sqlalchemy filter. + This method will also apply user_id restriction if available. + + each parameters of the function is treated as an equality unless the + name of the parameter ends with either "__gt", "__lt", "__ge", "__le", + "__ne" or "__in". + """ + if self.user_id is not None: filters[self._user_id_key] = self.user_id db_filters = set() for key, value in filters.items(): @@ -37,17 +51,21 @@ class AbstractController(object): return self._db_cls.query.filter(*self._to_filters(**filters)) def get(self, **filters): + """Will return one single objects corresponding to filters""" obj = self._get(**filters).first() if not obj: raise NotFound({'message': 'No %r (%r)' % (self._db_cls.__class__.__name__, filters)}) - if getattr(obj, self._user_id_key) != self.user_id: + if self.user_id is not None \ + and getattr(obj, self._user_id_key) != self.user_id: raise Forbidden({'message': 'No authorized to access %r (%r)' % (self._db_cls.__class__.__name__, filters)}) return obj def create(self, **attrs): - attrs[self._user_id_key] = self.user_id + assert self._user_id_key in attrs or self.user_id is not None, \ + "You must provide user_id one way or another" + attrs[self._user_id_key] = self.user_id or attrs.get(self._user_id_key) obj = self._db_cls(**attrs) db.session.add(obj) db.session.commit() |